The cybersecurity workforce is evolving, but not only with a need for more technical expertise – soft skills are more important than ever for analyzing hacker behavior, communicating training and risks to all corners of an organization, and evaluating legal and financial risks. Dr. Greg White, director of the Center for Infrastructure Assurance and Security at The University of Texas at San Antonio, sets the stage for our all-expert analysis of cybersecurity workforce development.
Come One, Come All: Cyber Security Needs Marketers, Business Analysts and Behavioral Psychologists, Too
By Joanna Burkey, CISO, Siemens
Requirements for a career in cyber security: experience in engineering, reversing malware, ethical hacking, network analysis. All of the above – right? Would it surprise you to learn that is not actually the case? While a background in highly technical topics is useful, even needed, for some parts of cyber security practice, the field is so broad today that practitioners come from almost any imaginable background. To have a satisfying and interesting career in cyber security, the only non-negotiable checkbox is to possess a passion for making the world a safer place.
As a career field, cyber security is still relatively young. This means the industry is still learning and growing when it comes to what types of jobs are available, and the right types of people to fill these jobs. As recently as ten years ago, most professionals within cyber security came either from technical security engineering backgrounds or were IT practitioners who got pulled into the new and expanding field of security. Now, we are seeing the maturity of security as a topic, joined by an increasing grey area of what exactly cyber security departments do. The job of the technical security analyst is and always will be key, but these analysts are now joined by peers who concentrate on business proximity, internal marketing, financial analysis, risk and compliance, security evangelism – the list goes on!
All of this means that just about any type of background can be useful when working in the field of cyber security. Business experts will find that the ability to “speak the business language” is extremely important for security professionals when forming and growing relationships within a company. Additionally, skill sets like marketing and communications are increasingly useful, particularly internally, as security departments are learning that they must spend time talking about the services they provide to the business. Along with every other department, security groups are battling for an ever-dwindling pile of budget, so financial analysis is a requirement. Behavioral psychology and sociology are being recognized for their importance because security experts must be able to understand how hackers think, and how employees are best trained to be security aware. There is a real shift within information security in the last few years to recognize that effective cyber security programs must include a broad spectrum of soft as well as hard skills in order to be effective.
This is a huge step in the maturity of cyber security as a professional field. In the early days, the thinking was that the right technology could solve most security-related problems. Employees were clicking on too many phishing emails? No problem, let’s deploy an anti-phishing solution! Hmm, that solution is still missing some attacks? No worries, nothing a solid endpoint agent can’t solve. This cycle continued until one day, everyone woke up and realized their internal technology landscapes were conga lines of disparate, sometimes competing, products and services. Worse, attacks were still getting through defensive lines! Technology cannot be discounted entirely, as it still forms the backdrop for every effective security program, but it is now widely recognized that technology is not the only solution. With this awareness comes opportunity for everyone. If everything were still all about the technology, engineers would still really be all that is needed. Because this is not the case, it is possible to find a career in cyber security within a broad set of background skill sets and interests.
So, are you interested in learning more, but you don’t come from a technical security background? Don’t be scared to dive in a little bit. If your focus area is sales, or business analysis, or marketing, you may be ready to hit the ground running. Work on learning the “language of security.” Never before have so many free resources been available online with the purpose of providing information on security topics. TED Talks, vendor webcasts, technical webinars – all of these resources on the Internet provide the basic building blocks to understanding security concepts.
If your background is more removed from the traditional high tech role, then cultivate your network. Actively seek out peers and contemporaries involved in security. Most cyber security professionals are more than happy to talk about what they do, as nearly everyone shares a passion for the subject. These colleagues will be able to tell you what cyber security means at their company, what they are looking for, and give you invaluable tips for breaking into the field. Local meet-ups with a security focus are growing more and more all the time. Look online, just about every city and town will have a set of gatherings from which to choose. Start professional relationships with the people you meet as a result, and you will see opportunities in this field you never imagined.
Keep an open mind, be on the lookout for the ways you can uniquely add to the greater cause, and have a fulfilling career in this exciting area!
The workforce gap is growing. Joanna Burkey, CISO for the Americas at Siemens, explains why you don’t need a background in IT to succeed in a cyber security career.
Addressing the Impending Cybersecurity Workforce Crisis
By Gregory B. White, Ph.D., Professor of Computer Science, UTSA
According to the Global Information Security Workforce Study conducted by Frost & Sullivan for the Center for Cyber Safety and Education, the cybersecurity workforce gap will hit 1.8 million by 2022. This is a 20% increase since 2015. The study incorporated information gathered from 19,000 cybersecurity professionals. Furthermore, 66% of the respondents to the study reported that they don’t have the workers needed to address current threats, not to mention the needs of the future. Of note, the report also made the statement that, “[a]s cyber-risks become increasingly prevalent, organizations must address the worker shortage by finding new recruitment channels, or by raising awareness of cybersecurity among existing IT staff.”
This statement is an especially important point. It identifies two aspects to addressing the shortage of cybersecurity professionals. The first is, naturally, finding ways to increase the number of security professionals. This is the normal response to the many articles that have been appearing over the last few years warning about the magnitude of this impending shortage. The second, however, is not as often discussed, but is at least as significant as raising the number of cybersecurity professionals in the workforce. Instead of only increasing the number of cybersecurity professionals in the workforce, we should be concerned with increasing cybersecurity awareness in the workforce. This can be accomplished through establishing a “culture of security” so that all workers, not just the cybersecurity professionals, understand their responsibility in addressing cybersecurity concerns.
This does not mean that we ignore the impending shortage of cybersecurity professionals, nor does it mean educating the workforce will alleviate the need for cybersecurity professionals. What it means is that with an increasing shortage of cybersecurity professionals, it will become even more important in the future for all workers to understand what they can be doing to help ensure the security of their organization.
The nation is addressing the need for more cybersecurity professionals through a number of different approaches. Programs such as the National Science Foundation (NSF) Scholarship for Service (SFS) program are paying for the education of hundreds of new security professionals every year. These individuals are required to work for the government for as many years as their individual scholarships covered. Many of them remain with the government after completing their obligation, but those who don't can enter the industry security workforce, addressing industry's need for security professionals as well. The NSA/DHS Centers of Academic Excellence in Cyber Defense and Research designations have been awarded to over 200 two- and four-year institutions. This too has been a major step forward in producing cybersecurity professionals. Unfortunately, it is not enough to fill the demand.
A number of programs have been proposed to address the growing need for cybersecurity professionals. The need is especially acute in small and medium-sized businesses and in state and local governments. Several states have recently discussed establishing programs similar to the NSF/SFS program, where students would receive a scholarship with the agreement that they would work for the state upon graduation. This same approach can be taken by others as well, including industry and especially the various critical infrastructures. Where the shortage of professionals will be harder to address is in small and medium-sized businesses that may not have the resources to pay for such programs. Indeed, they may not be in a financial situation that will allow them to hire a team of security professionals, or possibly even a single full-time cybersecurity professional. This is where the second approach will become increasingly important – we need not just to introduce cybersecurity into the workforce, but also to have it become an integral part of any business.
When we were young, we all learned that we had a responsibility, and that there was something we could each do, to help prevent forest fires (or wild fires). Public service announcements and programs aimed at the elementary schools taught us at a young age that it was important to address this issue. Similarly, McGruff talked to us about “taking a bite out of crime.” We also learned from our parents or guardians about locking doors in our vehicles and homes. When we later entered the workforce, we already understood the importance of both fire and crime prevention.
Today we need a similar program (beyond the more narrowly focused “Stop, Think, Connect” program sponsored by DHS) that will teach us at a young age that we each have a responsibility to “help prevent cyber wildfires” and to “take a bite out of cybercrime.” This will not be a panacea for all security issues, but if we can have all citizens understand and take the minimum steps to secure their computers at home and at work, then the job our cybersecurity workforce faces will be just a bit easier. Maybe the new mantra we teach our children could be “Update, Encrypt, Backup, and Passwords” or some similar set of terms that can be made into an easily remembered acronym. How much better off would we be if we could get everybody to:
- Update and patch applications and operating systems, making sure that the most current versions are being used, which generally will also be the most secure.
- Encrypt all traffic using VPNs when communicating across wireless networks – especially when in public. Also, encryption of sensitive or personal data in storage should be considered.
- Back up all important data and programs, and ensure that copies of the backups are not stored on the same machine they came from. Use a removable drive or back up to cloud storage.
- Passwords and PINs should be chosen carefully and changed if there is ever a question about a possible compromise. The longer the password, the longer it will take to break it using brute-force techniques, so passphrases are often a better method for choosing a password. Ensure that the password, passphrase, or PIN chosen is not a common one, which would simplify the job for an attacker.
While these will not solve all of our cybersecurity problems, when coupled with the message of “Stop, Think, Connect” which reminds us all to stop and consider whether we should click on a link or execute a program sent to us in an email, a large number of the security issues we face today could be lessened or often eliminated.
Of the many reasons non-technical skills should be welcomed into the cybersecurity workforce, one of the most important is the need for effective decision-making and an ethical perspective in access control. Rebekah Lewis, Executive in Residence and Director of the Kogod Cybersecurity Governance Center (KCGC) at American University’s Kogod School of Business in Washington, D.C., defends the importance of critical thinking in cybersecurity.
Cybersecurity Workforce: Re-Examining the Call for Technical Skills
By Rebekah Lewis, Executive in Residence, Info Technology & Analytics, Kogod School of Business, American University
A common misperception often exacerbates and sensationalizes fears about the current cybersecurity workforce shortage: namely, the mistaken belief that the current technological environment requires a significant educational shift towards the prioritization of technical skills. In fact, educators should not overlook the vital need for certain foundational and broadly applicable competencies to meet the challenges and capitalize on the opportunities presented by today’s connected world. In particular, educators and policymakers must continue to focus on the development of strong critical thinking, logical reasoning and communication skills, as well as a dedicated work ethic, all of which are essential to success in today’s cyber landscape. Prioritizing these core competencies – rather than any particular knowledge base or technical skills – will best prepare rising and future leaders to responsibly and effectively navigate new challenges in cybersecurity as they arise.
Many of the key concepts highlighted in the Cybersecurity Framework issued by NIST illustrate the importance of these core competencies to meeting current workforce needs. For example, making responsible decisions related to the category of Access Control within the Protect function (identifier PR.AC) does require an understanding of specific terms and concepts such as mandatory and discretionary access control, rule-based and role-based regimes, and two-person integrity. But, in order for organizations to actually use these mechanisms to effectively and efficiently protect organizational assets, they must answer a variety of non-technical questions, such as: Who should have access to what, and why? What criteria justify the provisioning of privileged access and/or any exceptions to access control policies? What levels of access are appropriate for certain systems and assets, certain personnel? How does an organization articulate and demonstrate “need to know”? When are the needs of innovation and efficiency sufficient to outweigh the security benefits of certain access control measures? These underlying decisions and judgment calls require sound critical thinking skills, as well as an understanding of the organization’s broader goals and priorities. Furthermore, effective and efficient implementation requires sound logic, attention to detail and a disciplined, consistent application of access control policies.
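The following is an added example, not code from the article or from the NIST framework it cites. It shows how the non-technical decisions the paragraph lists (who should have access to what, which actions are sensitive enough to require two-person integrity, and how a documented exception is justified) become a policy that is applied consistently and leaves an audit trail. The roles, resources, users and the `ROLE_GRANTS` / `TWO_PERSON_ACTIONS` tables are all constructed for illustration and are assumptions, not any organization's real policy.

```python
"""Role-based access check with two-person integrity and documented exceptions.

Added illustration: the policy tables below encode human judgment calls
(who gets what, what needs a second person, what counts as a justified
exception); the code only applies them consistently and records the outcome.
"""
from dataclasses import dataclass

# Decision 1 (constructed): who should have access to what, as role -> {(resource, action)}.
ROLE_GRANTS = {
    "analyst": {("case-files", "read")},
    "admin": {("case-files", "read"), ("case-files", "write"), ("prod-db", "read")},
    "dba": {("prod-db", "read"), ("prod-db", "write")},
}

# Decision 2 (constructed): actions sensitive enough to require two-person integrity,
# i.e. a second, distinct person must approve before the request is allowed.
TWO_PERSON_ACTIONS = {("prod-db", "write")}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Every decision is recorded so that exceptions and denials are reviewable later.
AUDIT_LOG = []


def _record(requester, wanted, decision):
    AUDIT_LOG.append((requester, wanted, decision))
    return decision


def check_access(requester, roles, resource, action, approvers=(), exception=None):
    """Evaluate one access request.

    requester : user id making the request
    roles     : roles held by the requester
    approvers : user ids who approved this specific request (for two-person actions)
    exception : optional dict {"grant": (resource, action), "justification": str}
                representing a documented policy exception for this requester
    """
    wanted = (resource, action)

    # Step 1: is the action granted by any of the requester's roles?
    if any(wanted in ROLE_GRANTS.get(r, set()) for r in roles):
        basis = "granted by role"
    # Step 2: otherwise, only a documented exception with a written justification counts.
    elif (exception and exception.get("grant") == wanted
          and exception.get("justification", "").strip()):
        basis = "granted by documented exception: " + exception["justification"].strip()
    else:
        return _record(requester, wanted,
                       Decision(False, "denied: no role grant and no justified exception"))

    # Step 3: two-person integrity. Self-approval does not count as a second person.
    if wanted in TWO_PERSON_ACTIONS:
        others = sorted(a for a in set(approvers) if a != requester)
        if not others:
            return _record(requester, wanted,
                           Decision(False, f"denied: {resource}:{action} requires approval "
                                           "by a second, distinct person"))
        basis += f"; two-person integrity satisfied by {others[0]}"

    return _record(requester, wanted, Decision(True, basis))


if __name__ == "__main__":
    # Constructed sample requests.
    print(check_access("alice", ["analyst"], "case-files", "read"))
    print(check_access("alice", ["analyst"], "prod-db", "read"))
    print(check_access("bob", ["dba"], "prod-db", "write", approvers=("bob",)))
    print(check_access("bob", ["dba"], "prod-db", "write", approvers=("carol",)))
    print(check_access("alice", ["analyst"], "prod-db", "read",
                       exception={"grant": ("prod-db", "read"),
                                  "justification": "incident review, ticket <placeholder>"}))
```

The point of the example is where the hard work sits: nothing in the code decides whether an analyst should ever read the production database or whether a database write is serious enough to need two people. Those are the judgment calls the article describes; the code's contribution is the disciplined, consistent application and the audit record.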
Similarly, the Awareness and Training category under the Protect function (identifier PR.AT) provides another example of the importance of non-technical skills, despite common misperceptions. Until very recently, most organizational leaders have not adequately recognized or resourced this critical issue, instead treating awareness and training responsibilities as “additional duties as assigned” – essentially, add-on work often given to information security personnel. The result has been, in many cases, amateurish materials produced by personnel who are poorly resourced and working against an organizational culture that does not prioritize these efforts. However, in the past couple of years alone, organizations have finally begun to recognize the need to invest in awareness and training as distinct and critical components of effective cybersecurity. With this realization, organizations are now beginning to allocate greater budgets to awareness and training efforts and create full-time positions for personnel with demonstrated expertise in marketing and communications who can create effective awareness campaigns. As with access control, cybersecurity awareness and training requires knowledge of certain technical concepts. Critical thinking and communication skills, however, are equally if not more important to actually using this information, not just to scare, bore or amuse workers, but to create meaningful behavior change and empower the workforce.
Lastly, the category of Anomalies and Events under the Detect function (DE.AE) provides another example of the importance of non-technical competencies. While technology is playing an ever-increasing role in network monitoring and anomaly detection, human beings still play a key role in determining what constitutes both normal and abnormal activity within a specific environment, including fine-tuning technological tools accordingly. Personnel charged with overseeing anomaly detection may have to make decisions regarding the scope of assets and operations that will be used to establish a baseline of “normal” activities, or the particular types of behaviors (e.g., exfiltration of large amounts of data) that might raise a red flag and the thresholds and sensitivity levels that trigger further investigation. They may also be involved in determining what constitutes an appropriate response to a variety of confirmed incidents. To make these decisions, personnel charged with overseeing anomaly detection must have not only a familiarity with cyber concepts and the organization itself, both of which will change over time, but also strong critical thinking, logical reasoning and a dedicated and meticulous work ethic.
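The following is an added example, not code from the article. It makes concrete the three decisions the paragraph assigns to people rather than tools: which hosts are in scope for the "normal" baseline, which behaviour (large outbound transfers) is the red flag, and where the sensitivity threshold sits. The egress log is constructed sample data (daily megabytes out per host); the host names, the baseline window, the z-score threshold and the minimum-bytes floor are all assumptions made for the illustration.

```python
"""Baseline-and-threshold detection of unusually large outbound transfers.

Added illustration. The knobs a human sets: IN_SCOPE (which hosts the
baseline covers), z_threshold (sensitivity), min_mb (a floor so that a host
that normally sends almost nothing does not alert on a trivially larger
transfer). Data is constructed, not real traffic.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed egress log: (day, host, megabytes_out). Days 1-7 are the baseline
# window, day 8 is the day under evaluation.
EGRESS_LOG = [
    # ws-01: steady ~50 MB/day, then a very large transfer on day 8
    (1, "ws-01", 50), (2, "ws-01", 52), (3, "ws-01", 48), (4, "ws-01", 51),
    (5, "ws-01", 49), (6, "ws-01", 50), (7, "ws-01", 50),
    # ws-02: exactly 20 MB/day, then 21 MB (larger, but still tiny)
    (1, "ws-02", 20), (2, "ws-02", 20), (3, "ws-02", 20), (4, "ws-02", 20),
    (5, "ws-02", 20), (6, "ws-02", 20), (7, "ws-02", 20),
    # ws-03: ~100 MB/day with normal variation, then a mildly high day
    (1, "ws-03", 100), (2, "ws-03", 110), (3, "ws-03", 90), (4, "ws-03", 105),
    (5, "ws-03", 95), (6, "ws-03", 100), (7, "ws-03", 100),
    # backup-01: legitimately pushes thousands of MB nightly
    (1, "backup-01", 4800), (2, "backup-01", 5100), (3, "backup-01", 4900),
    (4, "backup-01", 5000), (5, "backup-01", 5200), (6, "backup-01", 4700),
    (7, "backup-01", 5000),
    # Day 8, the day being evaluated
    (8, "ws-01", 900), (8, "ws-02", 21), (8, "ws-03", 112), (8, "backup-01", 5000),
]

# Scoping decision (constructed): the backup server is excluded, because large
# nightly egress is its job and baselining it would only produce noise.
IN_SCOPE = {"ws-01", "ws-02", "ws-03"}
BASELINE_DAYS = range(1, 8)


def build_baseline(records, in_scope, baseline_days):
    """Per-host (mean, population stdev) of daily MB out over the baseline window."""
    per_host = defaultdict(list)
    for day, host, mb in records:
        if host in in_scope and day in baseline_days:
            per_host[host].append(mb)
    return {h: (mean(v), pstdev(v)) for h, v in per_host.items()}


def detect(records, baseline, eval_day, z_threshold, min_mb):
    """Return [(host, mb, z)] for hosts whose eval_day volume is both more than
    z_threshold standard deviations above their baseline mean and at least min_mb."""
    alerts = []
    for day, host, mb in records:
        if day != eval_day or host not in baseline:
            continue  # out-of-scope hosts never alert, by decision not by accident
        mu, sigma = baseline[host]
        if sigma > 0:
            z = (mb - mu) / sigma
        else:
            # A perfectly constant history: any increase is "infinitely" unusual,
            # which is exactly why the min_mb floor exists.
            z = float("inf") if mb > mu else 0.0
        if z > z_threshold and mb >= min_mb:
            alerts.append((host, mb, round(z, 2)))
    return alerts


if __name__ == "__main__":
    base = build_baseline(EGRESS_LOG, IN_SCOPE, BASELINE_DAYS)
    print("strict (z>3):", detect(EGRESS_LOG, base, 8, 3.0, 100))
    print("loose  (z>2):", detect(EGRESS_LOG, base, 8, 2.0, 100))
```

Run it and the two threshold settings disagree about ws-03: at z > 3 only ws-01 is flagged, at z > 2 ws-03 joins it. Which setting is right depends on how much analyst time a false positive costs versus how much a missed exfiltration costs in that environment, and that trade-off is the judgment call the article is pointing at.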
The above examples provide just a sampling of the many instances in which the workforce must rely in large part on non-technical skills and competencies to meet cybersecurity challenges responsibly and effectively. Although the current workforce shortage clearly requires increased training and interest in technical, cyber-specific concepts, educators and policymakers should not overlook the importance of these other foundational, broadly applicable skills and competencies, each of which also takes time and training to develop. The inextricable connections and dependencies between what many think of as technical and non-technical concepts are, in large part, what makes cybersecurity so challenging – and so exciting.
Knowing where the internet started and where it’s going is a critical understanding for those in cybersecurity now, and those joining the ranks to help keep organizations and our nation secure. Vijay George, Partner at Stratamation, delves into the intricate ways our world is connected, and what that means for our cybersecurity workforce needs for both technical and soft skills.
Consider a Career in Cybersecurity
By Vijay George, Partner, Stratamation
It is astonishing how quickly the internet has come to be a dominant force in the world’s economy. It took 20 years, from 1969 to 1989, for ARPANET, the predecessor of the modern internet, to grow to 20,000 hosts (DARPA). But with the introduction of HTML by the CERN team in 1991, the internet has grown exponentially (World Bank), to the point that today most people rely on it for day-to-day activities.
It is now an important part of all major economies and a driving force in virtually all major economic sectors – and yet it still feels like the early days in terms of maturity. It has given the power of information and communications to almost everyone and almost everywhere. However, it is only now that we are realizing the dark side of this incredibly connected world. Unfortunately, we did not build the foundations of security and privacy into the implementation and deployment of this technology. With the proliferation of information, companies and governments have huge amounts of data on their customers and citizens. Without effectively addressing cybersecurity and privacy, companies risk losing customers and exposure to significant liabilities.
Cybersecurity professionals in short supply
Cybersecurity and privacy are playing catch-up to the sophistication of hackers and to the setback caused by the lack of security considerations built into the internet we use today. So, the need for cybersecurity professionals is immense and daunting. According to an (ISC)2 report published in 2015, by 2020 there will be a shortage of 1.5 million cybersecurity professionals. It’s clear that more emphasis needs to be put into training these professionals, including in high schools, trade schools and universities.
People, Process, and Tools
According to the 2017 Global Information Security Workforce Study done by Frost & Sullivan with ISC2, the needed skill sets go beyond the technical. In fact, the largest skill gaps for security professionals are in communications, analytics, and process-related capabilities. In the early days of information security, it was thought to be a very technical job, pursued mostly by specialized network engineers and infrastructure administrators. But, in reviewing the well-publicized breaches, it is clear that more successful hacks are related to people- and process-related gaps than to a lack of sophisticated technology. This makes it clear that information security has to be scoped for the whole organization, and not just for the technical professionals in the infrastructure and network teams. The need for security professionals to communicate and clearly articulate risk and mitigation steps across the organization is critical.
Across the IT industry
In too many organizations, technology decisions are made without security considerations, and the resulting product implementation is left to the security professionals to ensure risks are mitigated after the decision is made. This is true even in the realm of software and systems development, but is beginning to change with the realization that security and privacy must be considered, designed and built into systems from day one. It is critical every function of IT and software development be included in new technology decision-making processes, as well as trained to deliver secure systems with privacy factors considered, no matter the type or function of the technology under deliberation.
Many of the breaches are caused by social engineering, so it is vital to train each person in an organization on cybersecurity and privacy risks. Today’s generation is introduced to a connected world early, sometimes even as infants, and they easily share their personal information online. Cybersecurity and privacy must be taught early at home and in school, and good cyber hygiene must be continuously reinforced.
Security and Privacy professionals needed across the enterprise
Because the areas where cybersecurity must be applied are broad and multifaceted, cybersecurity professionals must reach a broad set of stakeholders and apply a multitude of skills. These skills range from the highly technical to psychology and sociology, in order to cover the impact of all threats in our connected world. Cybersecurity professionals will continue to be in great demand, and will cover a broader range of skills as specialization becomes more common.